1. Field
The present invention relates generally to a computing device that is capable of detecting if an application is malware.
2. Relevant Background
Computing devices are often used to run diverse applications which originate from many sources. Unfortunately, applications with malicious intent (e.g., malware) are often installed onto a user's computing device. Users are typically unaware of this because malicious applications often masquerade as well known applications. Further, these malicious applications utilize more permissions than are necessary for their functions.
Protecting computing devices from security threats, such as malware, is a concern for modern computing devices. Malware includes unwanted applications that attempt to harm a computing device or a user. Different types of malware include Trojans, worms, key-loggers, viruses, backdoors and spyware. Malware authors may be motivated by a desire to gather personal information, such as credit card numbers and bank account numbers or cause a cell phone to connect to paid services. Thus, there is a financial incentive motivating malware authors to develop more sophisticated methods for evading detection.
Traditional malware signature detection methods extract signatures from an invariant portion of the actual executable part of a target application. Signature-based malware detection requires a signature (e.g., a unique pattern in the malware's code) for each malware variant. Therefore, it is impossible to detect unknown malware utilizing signature-based malware detection. In addition, even for known malware, there tends to be a delay between the detection of the signature and when it is actually updated on a computing device. Further, malware checking using signatures is often processor and memory intensive. This is especially more difficult for mobile computing devices. Also, because signature checking is expensive on mobile devices, such as cell phones, many detectors simply check the application filenames for well known rogue applications.
Because of these issues, it would be beneficial to utilize behavior analysis for the purpose of characterizing, comparing, and classifying applications on a computing device to determine whether applications are malware—which is less processor and memory intensive and can occur in a much quicker fashion.